Multiple services operating in a single-computer or multiple-computer environment may access a shared resource. In order to control access to the shared resource, credentials (e.g., a username and password) may be provided to each of the services. The credentials may be used to identify a service, thereby enabling a central manager to grant and/or limit access to the shared resource. For example, a first service may be provided with credentials that enable the first service to read and modify data in a database, while a second service may be provided with different credentials that enable the second service to only read data in the database. That is, the credentials provided to the second service may prohibit the second service from modifying data in the database.
One of the larger concerns with implementing a credential-based access system is the strength of the credential. In particular, over a period of time, a credential may be discovered using brute force and other forms of attack. In order to decrease the likelihood that such attacks are successful, at least part of the credential, such as the password, may be changed before a security breach can occur. For example, if a known hacking technique typically takes three months to discover a given credential, the password may be changed every two months as a defensive mechanism in response to the hacking technique.
In a typical implementation, a human administrator manually changes the password for each of the services. However, giving an administrator the responsibility of managing and changing the passwords can raise a number of security issues. In one example, in order for an administrator to recall the password, the administrator may record the password on a piece of paper or some other medium. In this case, a nefarious party with access to the medium can obtain the password. In another example, an administrator who prefers to remember the password instead of recording it may choose a weaker password that can be more easily memorized. In this case, the weaker password can be more easily attacked than a stronger password. As a result, relieving the administrator of the responsibility for managing and changing the passwords can significantly improve the security of the computing environment.
It is with respect to these considerations and others that the disclosure made herein is presented.